[CentOS] OT: closing a port on home router

Wed Sep 23 17:14:26 UTC 2015
James B. Byrne <byrnejb at harte-lyne.ca>

On Wed, September 23, 2015 00:11, Always Learning wrote:
>
>
> That is great. When I started on Linux that was one of the very
> first things I did. Every machine, including servers, has port 22
> replaced by a unique alternative port. Port 22 is also blocked in
> IPtables.
>
> There is an army of dangerous nutters attempting to break-in to
> everything. They often mask their attacks using compromised Windoze
> computers all around the world.
>

Changing the port that sshd listens on solves nothing from a security
perspective.  The only people that this action deflects are the
script-kiddies, who are admittedly numerous and who can be dangerous
but usually are just low-talent opportunists.

Moving the port by itself still opens a functioning connection to the
internet on a service that is inherently susceptible to brute force
and rainbow attacks.  The 'dangerous' people on the Internet will find
this port in a heartbeat and they are far more worrisome than the
script-kiddies.  Since you absolutely must build a defence against
these opponents anyway, you might as well leave the service on the
default port to avoid screwing up legitimate users' expectations.

I grant that dealing with an excessive logfile volume can be a
consideration.  However, this issue is often best dealt with through
scripting your own analysis and reporting programs or employing
someone else's, and it is often solved with an aggressive set of
firewall rules.  In fact, the volume of entries should be a good
indication of how well your defence is serving you.  As you tighten
the access rules and dynamically block persistent abusers, the
volumes should drop and stay fairly low.

Moving the port by itself is like rearranging the deck chairs on a
sinking ship.  It does not address the fundamental issue.  Plus,
assignment to a non-standard port adds to maintenance and support load
since it must be separately accounted for each time it is referenced.


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
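The kind of home-grown log analysis the post above describes, as an added example that is not part of the thread: it tallies sshd failures per source address from /var/log/secure-style lines, flags sources that keep failing without ever succeeding, and renders the iptables rules one would review before applying. The log lines, hostname `gw`, the threshold of 3 and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Tally sshd auth failures per source and flag persistent abusers.

Added example, not code from the mailing-list post. Sample lines are
constructed in CentOS /var/log/secure format; addresses are RFC 5737
documentation ranges, not real hosts.
"""
import re
from collections import Counter

# Lines sshd writes for a failed password or an unknown account.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?\bfrom (?P<src>[0-9a-fA-F.:]+)"
)
# Lines sshd writes for a successful login (any auth method).
SUCCESS_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (?P<src>[0-9a-fA-F.:]+)")

SAMPLE_LOG = """\
Sep 23 17:14:26 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Sep 23 17:14:27 gw sshd[1235]: Failed password for root from 203.0.113.5 port 51235 ssh2
Sep 23 17:14:29 gw sshd[1236]: Invalid user oracle from 203.0.113.5
Sep 23 17:14:31 gw sshd[1237]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Sep 23 17:15:00 gw sshd[1240]: Accepted publickey for jbyrne from 198.51.100.7 port 40000 ssh2
Sep 23 17:15:40 gw sshd[1241]: Failed password for jbyrne from 198.51.100.7 port 40001 ssh2
Sep 23 17:16:02 gw sshd[1242]: Failed password for invalid user pi from 203.0.113.77 port 33000 ssh2
"""

def tally_failures(lines):
    """Return (failure count per source, set of sources with an accepted login)."""
    failures, accepted = Counter(), set()
    for line in lines:
        m = FAILURE_RE.search(line)
        if m:
            failures[m.group("src")] += 1
            continue
        m = SUCCESS_RE.search(line)
        if m:
            accepted.add(m.group("src"))
    return failures, accepted

def persistent_abusers(lines, threshold=3):
    """Sources at or above the threshold that never logged in successfully."""
    failures, accepted = tally_failures(lines)
    return sorted(src for src, n in failures.items() if n >= threshold and src not in accepted)

def drop_rules(sources):
    """Render one iptables DROP rule per flagged source for review before applying."""
    return [f"iptables -I INPUT -s {src} -p tcp --dport 22 -j DROP" for src in sources]

if __name__ == "__main__":
    print("\n".join(drop_rules(persistent_abusers(SAMPLE_LOG.splitlines()))))
```

A legitimate user who mistypes a password once (198.51.100.7 above) stays below the threshold and is also exempted by the earlier accepted login, so the rule list only ever contains sources that fail repeatedly and never succeed.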